How to generate ECDSA/EC certs?

Jul 18, 2014 08:48 AM

Introduction:

The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) that uses elliptic curve cryptography. ArubaOS provides ECDSA certificate support for EAP-TLS v1.2 (AAA FastConnect), the IKE server, and site-to-site VPN.

 

Feature Notes: Support for Suite B algorithms was introduced in Windows Vista, and certification authority (CA) support for Suite B algorithms was introduced in Windows Server 2008.
Microsoft web enrollment (https://<server IP>/certsrv) is not supported for version 3 certs (EC certs are considered V3).

 

Answer:

The controller performs native certificate authentication using IKEv2, so the certs must be capable of ECDSA (the default CA templates only support RSA).

To generate an elliptic curve CSR on the controller:

(hostname) #crypto pki csr ec curve_name <secp256r1 or secp384r1> common_name <name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>



CA Certificate Generation process:

Reinstall the Active Directory Certificate Services role and follow the step-by-step instructions at the link below to generate an EC CA cert:

http://technet.microsoft.com/en-us/library/ff829847%28v=ws.10%29.aspx
 

On the Configure Cryptography for CA page, select the following options, and then click Next:

  • For CSP, select ECDSA_P256#Microsoft Software Key Service Provider.

  • For Key Character Length, select 256.

  • For the Hash Algorithm, select SHA256.



Server Certificate Generation process:

Duplicate the Web Server template and follow the steps in the link to create an EC server cert:
http://technet.microsoft.com/en-us/library/ff829847%28v=ws.10%29.aspx


On the Cryptography tab, define the algorithm and key size to be used when requesting this certificate.

  • For the Algorithm name list, select ECDH_P256.

  • For the Minimum key size list, type 256.

  • For the Request hash list, select SHA256.



User Certificate Generation process:

Duplicate the User template and follow the same steps that were used to create the EC server cert.

To sign the controller CSR, run the following elevated command on the CA that signs the cert (the command must be run from the same folder in which the CSR is stored):
C:\Users\admin\Desktop>certreq.exe -submit -attrib "certificateTemplate:<template name>" <filename>.csr <filename>.cer

To request a user cert, follow the steps below:

  • Type certmgr.msc in the search pane (Start / Search);
  • Right-click the Personal folder;
  • Click All Tasks;
  • Click Request New Certificate (you must have network access to a CA in your domain);
  • Click Next, then click Next again;
  • Check the box for the certificate template you are requesting (User Suite B);
  • Click Enroll.



Uploading elliptic curve server and CA certs to the controller:

Copy the exported certificates to your management station, then navigate to the Configuration > Management > Certificates page and open the Upload tab. The first upload is for the CA Root elliptic curve certificate.

  • Provide a Certificate Name, browse to the CA Root certificate location, and select it.
  • Select "PEM" for Cert Format and "Trusted CA" for Cert Type. Upload the cert.
  • The CA Root certificate is now uploaded successfully.
  • Next, upload the elliptic curve Server certificate that was exported during the Windows Server 2008 R2 installation. Provide a Certificate Name, browse to the cert location, and select the Server certificate.
  • Select "PEM" for Cert Format and "Server Cert" for Cert Type, then Upload.
  • The Server certificate is now uploaded successfully.
  • View and verify the General / Details tabs of the elliptic curve CA and Server certificates.
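As an added check that is not part of the original article: before uploading, confirm on a management station with the openssl command-line tool that each exported certificate really is an EC certificate on the expected curve with an ECDSA/SHA-256 signature, converting a DER .cer exported from Windows to the PEM form the upload page expects. The file names and the self-signed sample root below are constructed for the example; OpenSSL names the P-256 curve prime256v1 (the same curve as secp256r1 / ECDSA_P256).

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the openssl CLI is installed.
set -eu

# to_pem <file>: print the certificate as PEM, converting from DER (.cer) if needed.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    cat "$1"
  else
    openssl x509 -inform DER -in "$1" -outform PEM
  fi
}

# check_ec_cert <file> <curve>: return 0 only if the public key is on <curve>
# (prime256v1 or secp384r1 in OpenSSL naming) and the signature is ecdsa-with-SHA256.
check_ec_cert() {
  text=$(to_pem "$1" | openssl x509 -noout -text)
  curve=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: *//p' | head -n 1)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
  echo "$1: curve=${curve:-none} signature=${sigalg:-none}"
  if [ "$curve" = "$2" ] && [ "$sigalg" = "ecdsa-with-SHA256" ]; then
    return 0
  fi
  return 1
}

# Constructed sample input: a self-signed P-256 root standing in for the Windows CA
# root, saved both as PEM and as DER (.cer) to exercise both code paths.
tmp=$(mktemp -d)
openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/ca.key"
openssl req -new -x509 -sha256 -key "$tmp/ca.key" -days 1 \
  -subj "/CN=Example EC Root" -out "$tmp/ca.pem"
openssl x509 -in "$tmp/ca.pem" -outform DER -out "$tmp/ca.cer"

check_ec_cert "$tmp/ca.pem" prime256v1   # passes
check_ec_cert "$tmp/ca.cer" prime256v1   # passes after the DER to PEM conversion
```

Run the same check against the real CA root and server certificates (with secp384r1 if you chose P-384) and fix the template before uploading if the curve or signature algorithm comes back as RSA or a different hash.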

 
